Google's privacy changes: the silo breaker

Simpler privacy that paying customers won't face.

Google claims its new single privacy policy covering 60 services simplifies privacy for users, but the underlying data sharing the new terms authorise has rattled government, regulators and privacy advocates.

Following last Tuesday's unveiling of the new policy and terms of service, the search giant has been forced to issue a number of statements clarifying the limits of its new approach to personal data.

"We’re not collecting more data about you. Our new policy simply makes it clear that we use data to refine and improve your experience on Google — whichever products or services you use. This is something we have already been doing for a long time," wrote Google policy manager Betsy Masiello in an update last Thursday in response to "misconceptions" about the change.

"We’re making things simpler and we’re trying to be upfront about it. Period."

But what has irked some is that the unified privacy policy will come with increased data sharing as Google tries to build a clearer picture of how a single user behaves across all its services, such as YouTube, Gmail and Google+.

Google's privacy chief Alma Whitten explained that, "If you’re signed in, we may combine information you've provided from one service with information from other services. In short, we’ll treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience."

The purpose of the changes is to provide more targeted search results, ads and content; consistency across its products; and additional services, such as notifications that a user will be late for a meeting based on their location, calendar and local traffic conditions, Google explains on its FAQ page.

Lawmakers in the US, however, are concerned by the absence of an option to opt out of Google's new data sharing activities.

They plan to petition the Federal Trade Commission to investigate whether the policy update breaches Google's settlement with it over the 2010 Buzz breach, which exposed Gmail users' contact lists. That settlement can be found here [pdf].

There were also initial fears that data sharing would impact US Government customers that rely on Google Apps for Government (GAFG).

Karen Evans, the former head of the Office of Management and Budget's technology division, and Jeff Gould, CEO of Peerstone Research, penned a stern note advising Google to suspend the new policy for Government clients.

"We recommend that Google immediately suspend the application of its new privacy policy to GAFG users. The default setting for GAFG and for all similar services from other vendors should be no information sharing at all between services. Furthermore, Google should clarify where its consumer product line ends and its enterprise products begin," the pair wrote.

Those fears turned out to be unfounded after Google's vice president Amit Singh swiftly issued a statement confirming that its enterprise customers would not be subjected to the new approach.

"As always, Google will maintain our enterprise customers' data in compliance with the confidentiality and security obligations provided to their domain," Singh said.

"The new Privacy Policy does not change our contractual agreements, which have always superseded Google's privacy policy for enterprise customers."

Roger Clarke, chair for the board of the Australian Privacy Foundation, has also raised concerns with Australia's competition regulator and the Office of the Australian Information Commission, arguing [pdf] that the retrospective application of the new terms meant Google had reneged on the terms users previously agreed to.

"The new Terms purport to apply retrospectively to all existing personal data held by Google. This represents a renege on the undertakings previously given. It is likely to be in breach of consumer protection laws in a range of jurisdictions, particularly in Europe and Australia," Clarke wrote.

Clarke said Google should be forced to "quarantine" all data it acquired prior to the date the new terms come into effect and not apply them until users provide "express, free and informed consent."

"This requires that the individual have a choice to continue using the services, even though they have denied this particular consent," Clarke wrote.